Timing attack safe string comparison
Syntax
hash_equals(string $known_string, string $user_string): bool
Parameters
known_string
The string of known length to compare against
user_string
The user-supplied string
Return
Returns true when the two strings are equal, false otherwise.
Examples
1 · known_string user_string · equal
<?php
// Both values are SHA-384 digests of the same input.
$known_string = hash('sha384', 'Hello');
$user_string = hash('sha384', 'Hello');
$return = hash_equals($known_string, $user_string);
var_export($return);
?>
true
2 · known_string user_string · unequal algorithm
<?php
// Same input, different algorithms: the digests differ in length and content.
$known_string = hash('sha384', 'Hello');
$user_string = hash('md5', 'Hello');
$return = hash_equals($known_string, $user_string);
var_export($return);
?>
false
3 · known_string user_string · unequal data
<?php
// Same algorithm, different input: equal length, different content.
$known_string = hash('sha384', 'Hello');
$user_string = hash('sha384', 'Good-bye');
$return = hash_equals($known_string, $user_string);
var_export($return);
?>
false
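4 · added example · verifying a client-supplied HMAC tag
The following is an added example, not part of the original page: it shows hash_equals() where it is normally needed, comparing a server-computed HMAC against an untrusted value, including inputs that are not strings. The function name verifyTag, the variable names and all sample values are constructed for illustration.

```php
<?php
// Added example: verifyTag(), $secret, $message and the sample tags are constructed.

/**
 * Check a client-supplied hex HMAC-SHA256 tag against the expected one.
 *
 * @param mixed $userTag Untrusted input, e.g. a query parameter or header value.
 */
function verifyTag(string $secret, string $message, $userTag): bool
{
    // Request parameters can arrive as arrays (?tag[]=x) or be missing;
    // hash_equals() accepts only strings, so reject anything else first.
    if (!is_string($userTag)) {
        return false;
    }

    // The value computed server-side goes first (known_string),
    // the untrusted value second (user_string).
    $expected = hash_hmac('sha256', $message, $secret);

    return hash_equals($expected, $userTag);
}

$secret  = 'constructed-demo-secret';
$message = 'order=42&amount=10.00';
$goodTag = hash_hmac('sha256', $message, $secret);

// Flip the final hex digit so the tag differs only in its last character.
$lastOff = substr($goodTag, 0, -1) . (substr($goodTag, -1) === '0' ? '1' : '0');

$cases = [
    'matching tag'            => $goodTag,
    'last character off'      => $lastOff,
    'truncated tag'           => substr($goodTag, 0, 16),
    'empty string'            => '',
    'array instead of string' => ['x'],
    'missing (null)'          => null,
];

foreach ($cases as $label => $tag) {
    printf("%-26s %s\n", $label, var_export(verifyTag($secret, $message, $tag), true));
}
```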